TUCoPS :: Windows :: v7-2234.htm

WMF browser-ish exploit vectors
WMF browser-ish exploit vectors
WMF browser-ish exploit vectors



Here, let's make the rendering issue simple:

Due to IE being so content help-happy there are a
myriad of IE-friend file types (e.g.-.jpg) that one
can simply rename a metafile to for purpose of web
exploitation, and IE will pull out the wonderful hey;
you're-not-a-jpeg-you're-a-something-else-that-I-can-
-automatically-handle trick err /feature/ for you.

Windows Explorer/My Computer preview/thumbnail thingy=IE
for purposes of rendering engine.

Stocking Stuffer Sploit-use Samples:

http://sharepoint2003/bizdir/your_custom_folder_icon.jpg 

http://yourcorp_web_based_DMS/surprise_not_a.doc 

etc.

For your experimentation pleasure, I have benign JPEGs
and one WMF with modified extension names found here:

http://www.anachronic.com/xss/ 

Examples include WMF file skatebrd.wmf ~renamed~ skatebrd.doc
candy is a JPEG also renamed doc, and win32api is a JPEG
renamed to wmf. Mix and match to your hearts content. 

http://www.anachronic.com/xss/skatebrd.wmf http://www.anachronic.com/xss/statebrd.jpg 

and

http://www.anachronic.com/xss/win32api.jpg http://www.anachronic.com/xss/win32api.wmf 

and so on and so forth. These are only posted for those of
you who need to make this RealSimple(tm) to someone, or
validate what things do auto/magicbyte rendering. 

You may reach me by using my first name at the domain listed
in the links above with threats, complaints, or creative uses
for the WMF rendering issue.

Merry Metafiling,

-ae








TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH